Re: [PATCH 0/3] KEXEC_SIG with appended signature

From: Nayna
Date: Thu Nov 18 2021 - 17:34:36 EST

On 11/16/21 04:53, Michal Suchánek wrote:
On Mon, Nov 15, 2021 at 06:53:53PM -0500, Nayna wrote:
On 11/12/21 03:30, Michal Suchánek wrote:

On Thu, Nov 11, 2021 at 05:26:41PM -0500, Nayna wrote:
On 11/8/21 07:05, Michal Suchánek wrote:

The other part is that distributions apply 'lockdown' patches that change
the security policy depending on secure boot status which were rejected
by upstream which only hook into the _SIG options, and not into the IMA_
options. Of course, I expect this to change when the IMA options are
universally available across architectures and the support picked up by

Which brings the third point: IMA features vary across architectures,
and KEXEC_SIG is more common than IMA_KEXEC.



KEXEC_SIG makes it much easier to get uniform features across
Architectures use KEXEC_SIG vs IMA_KEXEC based on their requirement.
IMA_KEXEC is for the kernel images signed using sign-file (appended
signatures, not PECOFF), provides measurement along with verification, and
That's certainly not the case. S390 uses appended signatures with
KEXEC_SIG, arm64 uses PECOFF with both KEXEC_SIG and IMA_KEXEC.
Yes, S390 uses appended signature, but they also do not support

On the other hand for arm64/x86, PECOFF works only with KEXEC_SIG. Look at
the KEXEC_IMAGE_VERIFY_SIG config dependencies in arch/arm64/Kconfig and
KEXEC_BZIMAGE_VERIFY_SIG config dependencies in arch/x86/Kconfig. Now, if
KEXEC_SIG is not enabled, then IMA appraisal policies are enforced if secure
boot is enabled, refer to security/integrity/ima_efi.c . IMA would fail
verification if kernel is not signed with module sig appended signatures or
signature verification fails.

In short, IMA is used to enforce the existence of a policy if secure boot is
enabled. If they don't support module sig appended signatures, by definition
it fails. Thus PECOFF doesn't work with both KEXEC_SIG and IMA_KEXEC, but
only with KEXEC_SIG.
Then IMA_KEXEC is a no-go. It is not supported on all architectures and
it principially cannot be supported because it does not support PECOFF
which is needed to boot the kernel on EFI platforms. To get feature
parity across architectures KEXEC_SIG is required.

I would not say "a no-go", it is based on user requirements.

The key takeaway from this discussion is that both KEXEC_SIG and IMA_KEXEC support functionality with some small degree of overlap, and that documenting the differences is needed.  This will help kernel consumers to understand the difference and enable the appropriate functionality for their environment.

As per my understanding:

* Supports kernel image verification
* Linked with secureboot state using downstream patch
* Supports PECOFF and module sig appended signature format
* Supports blocklisting of keys

* Supports kernel image verification
* Linked with secureboot state in upstream
* Supports module sig appended signature format and signatures in extended attribute.
* Supports blocklisting of keys
* Supports blocklisting single kernel binary
* Supports measurements for attestation
* Supports audit log

Users can enable the option based on their requirements.

Thanks for the good discussion and enabling KEXEC_SIG for POWER as well. It would be good to have updated kernel documentation to go along with KEXEC_SIG support in the patchset.

Thanks & Regards,
    - Nayna